(Credit: Just_Super via Getty Images)
Several high-profile ransomware gangs have been abusing a previously unknown software flaw to easily hijack IT systems, according to Microsoft.
The zero-day vulnerability, dubbed CVE-2024-37085, affects VMware’s ESXi hypervisor product, which can let a user run virtual machines on a physical server. The use case is especially helpful for companies, enabling them to operate several virtual servers or a single machine.
However, Microsoft is indicating ransomware groups are abusing a zero-day flaw in ESXi, possibly for months now, to infiltrate and steal data from companies. The groups abusing the flaw include members affiliated with the BlackBasta, Medusa, and Akira ransomware strains, along with Scattered Spider.
The so-called "authentication bypass" vulnerability works when an attacker creates a group called “ESX Admins,” and adds their own users to it. Doing so lets an attacker gain full administrative privileges over the ESXi hypervisor, paving the way for the ransomware group to encrypt the virtual machines, steal data from them, or move to other areas of the victim’s IT network.
Microsoft uncovered the flaw when investigating a BlackBasta ransomware attack on a North American engineering firm. The attackers first gained access to the company’s network through a Qakbot malware infection, which had spread to a computer.
(Credit: Microsoft)The ransomware group then stole the login credentials of two domain administrators in the engineering firm’s network before exploiting the ESXi hypervisor flaw to gain full admin privileges over the system. With full access, the attackers then installed the BlackBasta ransomware on the virtual machines and other additional devices.
In response to the threat, VMware’s parent Broadcom has released a patch. However, Broadcom has rated the vulnerability as a “moderate" severity, which has received some criticism from security researchers since ransomware groups are actively exploiting it.
In the meantime, Microsoft is urging affected companies to install the Broadcom patch and check if their ESXi hypervisors contain evidence of the “ESX Admins” group—a sign that hackers already exploited the flaw within their system.
One mystery is how the ransomware groups discovered the vulnerability. Microsoft suggests the culprits may have paid for details about the zero-day exploit from other hackers, citing one such sale of an ESXi exploit that went for $1.5 million.
Microsoft adds: “Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target.”